Hardening Web browsers against man-in-the-middle and eavesdropping attacks

Existing Web browsers handle security errors in a manner that often confuses users. In particular, when a user visits a secure site whose certificate the browser cannot verify, the browser typically allows the user to view and install the certificate and connect to the site despite the verification failure. However, few users understand the risk of man-in-the-middle attacks and the principles behind certificate-based authentication. We propose context-sensitive certificate verification (CSCV), whereby the browser interrogates the user about the context in which a certificate verification error occurs. Considering the context, the browser then guides the user in handling and possibly overcoming the security error. We also propose specific password warnings (SPW) when users are about to send passwords in a form vulnerable to eavesdropping. We performed user studies to evaluate CSCV and SPW. Our results suggest that CSCV and SPW can greatly improve Web browsing security and are easy to use even without training. Moreover, CSCV had greater impact than did staged security training.

[1]  G. Hommel A comparison of two modified Bonferroni procedures , 1989 .

[2]  Mark Guzdial,et al.  Software-Realized Scaffolding to Facilitate Programming for Science Learning , 1994, Interact. Learn. Environ..

[3]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[4]  John M. Carroll,et al.  Training wheels in a user interface , 1984, CACM.

[5]  Sean W. Smith,et al.  Trusted paths for browsers , 2002, TSEC.

[6]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[7]  Trevor Perrin Public key distribution through "cryptoIDs" , 2003, NSPW '03.

[8]  José Carlos Brustoloni,et al.  Detecting and Blocking Unauthorized Access in Wi-Fi Networks , 2004, NETWORKING.

[9]  Ross J. Anderson Why cryptosystems fail , 1993, CCS '93.

[10]  M. Angela Sasse,et al.  Users are not the enemy , 1999, CACM.

[11]  Glen Zorn,et al.  Protected EAP Protocol (PEAP) Version 2 , 2004 .

[12]  Eric Rescorla,et al.  HTTP Over TLS , 2000, RFC.

[13]  Mark S. Ackerman,et al.  Privacy critics: UI components to safeguard users' privacy , 1999, CHI Extended Abstracts.

[14]  Angela Sasse,et al.  Humans in the Loop Human – Computer Interaction and Security , 2022 .

[15]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[16]  Roy T. Fielding,et al.  Hypertext Transfer Protocol - HTTP/1.0 , 1996, RFC.

[17]  J. D. Tygar,et al.  Safe Staging for Computer Security , 2003 .

[18]  Gordon I. McCalla,et al.  Inspectable User Models for Just-In-Time Workplace Training , 1997 .

[19]  Ravi S. Sandhu Good-Enough Security: Toward a Pragmatic Business-Driven Discipline , 2003, IEEE Internet Comput..

[20]  Batya Friedman,et al.  Cookies and Web browser design: toward realizing informed consent online , 2001, CHI.

[21]  M F Huque,et al.  Some comments on frequently used multiple endpoint adjustment methods in clinical trials. , 1997, Statistics in medicine.

[22]  Diana K. Smetters,et al.  Moving from the design of usable security technologies to the design of useful secure applications , 2002, NSPW '02.

[23]  Alma Whitten,et al.  Making Security Usable , 2004 .

[24]  Russ Housley,et al.  Internet X.509 Public Key Infrastructure Certificate and CRL Profile , 1999, RFC.

[25]  Alan F. Blackwell,et al.  The memorability and security of passwords – some empirical results , 2000 .

[26]  Wi-Fi Alliance,et al.  Wi-Fi protected access , 2003 .

[27]  Lawrence C. Stewart,et al.  HTTP Authentication: Basic and Digest Access Authentication , 1999 .

[28]  Haidong Xia,et al.  Virtual prepaid tokens for Wi-Fi hotspot access , 2004, 29th Annual IEEE International Conference on Local Computer Networks.

[29]  Alan O. Freier,et al.  The SSL Protocol Version 3.0 , 1996 .

[30]  Mary Ellen Zurko,et al.  User-centered security , 1996, NSPW '96.

[31]  J. Doug Tygar,et al.  Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 , 1999, USENIX Security Symposium.